Hi Justus, Justus Winter <jus...@sequoia-pgp.org> skribis:
> Ludovic Courtès <l...@gnu.org> writes: [...] >> Signature verification in (guix openpgp) does just that: signature >> verification. It does not validate signature and key metadata, in >> particular expiration date. I guess it should at least error out when a >> signature creation time is newer than its key expiration time. > > Indeed. I skimmed both the original and the adapted code, and it > notably does no attempt to canonicalize the certificates in the keyring > (i.e. checking binding signatures, lifetimes, revocations, (sub)key > flags...). While that is a bit dangerous, it is okay for a point > solution for Guix, provided that this is properly documented and > communicated. > > One can forgo canonicalization if one assumes that the keyring is > curated, and one has a good-list of (sub)keys fingerprints that are > allowed to create signatures. Reading git-authentiate.scm that does > seem to be the case. Yeah, the (guix openpgp) module is good enough for this narrow use case, but I agree that people shouldn’t view it as a viable signature-only OpenPGP implementation in the general case. I’ll clarify this at least in the source file. > (I bet that certificate canonicalization is the major reason why calling > out to gpgv is so slow: it does that every time, and it involves > signature verification, which is slow (yes, I'm looking at you, RSA).) I see. >> It should also reject SHA1 signatures, at least optionally (I haven’t >> checked whether our Git history has any of these). > > I believe it should. For reference, we reject SHA1 signatures for > signatures created since 2013. Sounds good, I’ll do that. >> Next steps: >> >> • Clean up the (guix openpgp) API a bit, for instance by using proper >> SRFI-35 error conditions. Perhaps handle v5 packets too. > > Don't bother with v5 packets for now. The RFC is nowhere near > completion, and even if it is one day, it will be quite some time until > you see these packets in the wild. Alright, even better. Thanks for taking the time to look into it! Ludo’.
